TL;DR: Active Directory remains embedded in hybrid environments because most organisations still need on-premises control, application compatibility, and cost predictability, while Microsoft survey data shows 93% of respondents describe their estates as hybrid and 54% still run workloads on-premise with AD. The practical issue is not whether cloud wins, but how identity governance adapts to a multi-polar operating model.
At a glance
What this is: This analysis argues that Active Directory is not disappearing quickly and is instead becoming a durable part of hybrid identity architectures.
Why it matters: It matters because IAM, PAM, and lifecycle governance must keep working across cloud-first and on-premises estates rather than assuming a single migration endpoint.
By the numbers:
- 93% described themselves as "hybrid"
- 54% still run workloads on-premise with Active Directory
- 36% believe their organizations will never be cloud-only
👉 Read IS Decisions' analysis of Active Directory's hybrid future
Context
Active Directory is still the identity control plane for many enterprises that have adopted cloud services without fully retiring on-premises infrastructure. The article's core point is simple: hybrid identity is not a temporary detour for most organisations, and IAM programmes need to account for that reality rather than planning around a clean cutoff.
That matters for governance because the controls surrounding human access, service accounts, and privileged administration rarely move in lockstep with application migration. When the environment stays split, security teams have to manage identity, access, and policy consistency across both sides at once, which is where drift and blind spots usually begin.
Key questions
Q: How should security teams govern identity in hybrid Active Directory and cloud environments?
A: Security teams should govern hybrid identity as one estate with multiple control planes. That means aligning lifecycle management, privileged access, and access review across Active Directory and cloud identity services, then closing gaps where one system can grant access that the other cannot see. The goal is consistent policy enforcement, not parallel administration.
Q: Why do organisations keep Active Directory even after moving heavily to the cloud?
A: Organisations keep Active Directory because many applications, control requirements, and cost structures still depend on it. Cloud adoption rarely removes those dependencies at the same speed that new services are introduced. For many enterprises, AD remains a necessary part of access governance, especially where local control and regulatory constraints matter.
Q: What breaks when access reviews are run separately for cloud and Active Directory?
A: Separate reviews usually miss the full privilege picture. A user may hold related access across both platforms, but neither review shows the combined risk. That creates entitlement drift, weak recertification, and unresolved administrative overlap. Effective governance requires one view of identity across the whole environment, not two partial ones.
Q: Who is accountable for hybrid identity risk when control is split between platforms?
A: Accountability sits with the organisation, not the platform. Hybrid identity risk becomes a governance issue when no single team owns the combined access model across cloud and on-premises systems. Security, IAM, and infrastructure leaders need shared responsibility for policy, review, and remediation across the full identity estate.
Technical breakdown
Why Active Directory persists in hybrid identity architectures
Active Directory persists because it still performs jobs that many cloud identity stacks do not replace cleanly. Legacy applications, local control requirements, cost constraints, and regulatory expectations all keep on-premises identity relevant. In practice, organisations rarely migrate identity in a single move. They preserve AD for existing workloads while extending access into cloud services through federation, synchronisation, and layered security controls. That makes AD less a dead-end than a long-lived platform with a different operating role from cloud-native identity.
Practical implication: design identity controls for coexistence, not replacement, and treat AD as a continuing security boundary.
Hybrid IAM creates control fragmentation across cloud and on-premises
Hybrid environments split identity signals across multiple control planes, which complicates policy enforcement, visibility, and access review. A user can authenticate through one system, hold privileges in another, and trigger workload access somewhere else entirely. That fragmentation makes recertification, privileged access governance, and session monitoring harder because the authoritative picture of access is distributed. The article's hybrid data shows this is now the normal state for many enterprises, not an edge case.
Practical implication: unify entitlement visibility across cloud and AD before tightening policy at the edge.
Why layered security remains essential for Active Directory
The article treats AD as securable only when modern security layers are added on top. That means controls such as MFA, SSO, contextual access restrictions, and session governance are not optional extras. They compensate for the fact that core directory services were designed in a different era and do not natively solve every modern access problem. In a hybrid estate, the real question is whether the organisation has extended AD safely enough to match the access patterns of cloud-connected users and systems.
Practical implication: map your AD hardening stack to current access patterns rather than assuming the directory itself provides sufficient control.
Threat narrative
Attacker objective: The objective is to exploit identity fragmentation across hybrid environments to gain broader access and evade consistent governance.
- Entry occurs through the normal expansion of hybrid estates, where cloud services and on-premises Active Directory coexist rather than being fully separated.
- Escalation happens when fragmented identity control and incomplete security layering leave access decisions distributed across multiple systems.
- Impact is persistent governance drift, with inconsistent policy enforcement, weaker visibility, and a larger attack surface across the combined identity estate.
Breaches seen in the wild
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Hybrid identity is now the structural baseline, not a transition state. The article's data supports what many IAM teams already see in practice: most enterprises are living with both AD and cloud identity rather than moving cleanly from one to the other. That means identity strategy must be built for coexistence, policy consistency, and long migration horizons. Practitioners should stop treating hybrid as a temporary exception.
Active Directory is a governance platform, not a retirement placeholder. The article's central argument is that AD remains useful because it still anchors access, control, and local policy in environments where cloud identity alone is not enough. That framing matters because lifecycle, privileged access, and access review obligations do not disappear when workloads move partially to the cloud. Practitioners should govern AD as an active control plane.
Identity sprawl across cloud and on-premises increases control drift faster than migration speed reduces it. A hybrid estate creates more places for access to exist, more ways for policy to diverge, and more opportunities for administrators to lose a complete view of privilege. That is not a vendor problem, it is an operating-model problem. Practitioners should measure drift across the full identity estate, not within one platform.
Over-centralisation is a resilience problem as much as a security problem. The article's point about infrastructure disruption illustrates a broader principle: putting too much digital dependence into one control centre can create systemic exposure. For IAM leaders, the lesson is to avoid assuming that a single identity destination will eliminate complexity. Practitioners should design for distributed control with clear governance boundaries.
Layered control remains the only realistic way to secure a decades-long directory estate. Active Directory does not become modern by age alone, and cloud migration does not automatically remove the controls it once needed. The durable answer is to harden the environment that actually exists, not the one roadmaps promise. Practitioners should prioritise enforceable layers over migration narratives.
From our research:
- 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.
- That gap becomes more visible when teams need a practical operating model, which is why the NHI Lifecycle Management Guide is the right next step for provisioning, rotation, and offboarding decisions.
What this signals
Hybrid identity programmes are moving from migration projects to long-lived operating models, which means the real measure of maturity is whether governance stays coherent across both Active Directory and cloud identity. For teams working through that shift, the right reference point is the NIST Cybersecurity Framework 2.0 because it helps structure control ownership across identify, protect, detect, respond, and recover functions.
Identity drift debt: the longer cloud and on-premises identity coexist without a unified access model, the more entitlement mismatch accumulates across privileged users, service accounts, and application trust relationships. That debt shows up first as review fatigue and later as enforcement gaps, so practitioners should treat cross-environment consistency as a programme KPI rather than a migration by-product.
The next stage for many IAM teams is not a wholesale directory replacement but a deliberate tightening of hybrid control boundaries. That is where lifecycle governance, session policy, and access visibility need to converge, with the Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs providing a useful framework for how governance should scale.
For practitioners
- Map the real hybrid identity estate Inventory where authentication, authorisation, and privileged administration actually occur across AD, cloud identity, and integrated applications. Use that map to identify duplicated controls, blind spots, and owners for each access path.
- Extend governance to both identity planes Run access reviews, privileged access checks, and lifecycle controls against AD and cloud identity together so entitlements are assessed as one programme rather than two disconnected ones.
- Harden Active Directory as a continuing control plane Apply MFA, contextual access controls, session monitoring, and policy enforcement around AD instead of treating it as a legacy exception that will soon disappear.
- Plan migration around business dependency, not calendar targets Classify applications by dependency, regulatory constraint, and control complexity so cloud migration decisions follow operational reality rather than arbitrary retirement goals.
Key takeaways
- Active Directory remains a live governance problem because hybrid identity is the dominant operating model for many enterprises.
- The evidence points to access drift, fragmented oversight, and long migration horizons rather than a quick move to cloud-only identity.
- IAM teams should manage AD as an active control plane and measure consistency across the full identity estate.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Hybrid identity requires consistent access governance across cloud and AD. |
| NIST Zero Trust (SP 800-207) | AC-4 | The article's hybrid model depends on segmented trust and continuous verification. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Hybrid estates often include machine identities and service accounts managed inconsistently. |
Inventory non-human identities across AD-connected and cloud-connected workloads, then align rotation and offboarding.
Key terms
- Hybrid Identity: Hybrid identity is an operating model where organisations manage access across both on-premises and cloud identity systems. It usually combines Active Directory with cloud directory services, which means authentication, policy, and governance must stay consistent across two different control planes.
- Active Directory: Active Directory is Microsoft's directory service for managing users, groups, devices, and access in Windows-based environments. In modern enterprises it often remains a core identity platform, especially where legacy applications, local control, or regulated operating constraints still require on-premises governance.
- Identity Drift: Identity drift is the gradual divergence between where access exists and where it is governed. In hybrid estates it appears when cloud and on-premises entitlements are reviewed separately, policies diverge, or one platform grants access that the other cannot fully see.
- Lifecycle Governance: Lifecycle governance is the set of processes used to provision, review, change, and remove access over time. It applies to human, machine, and platform identities, and in hybrid environments it only works when both cloud and on-premises entitlements are governed through the same operating model.
What's in the full article
IS Decisions' full article covers the operational detail this post intentionally leaves for the source:
- The survey breakdown behind the 93% hybrid figure and what respondents said about long-term cloud-only timelines.
- The specific reasons organisations gave for staying on-premises, including application fit, control, cost, and availability concerns.
- The article's AD modernisation argument, including how the vendor frames Group Policy and layered security in practice.
- The contextual discussion of why some sectors are likely to remain hybrid or on-premises for much longer than cloud migration narratives suggest.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org